dump raw service principals and applications in JSON and add a timest…
…amp to Search-O365
EmilienCourt authored and EmilienCourt committed Jul 25, 2023
1 parent e73d085 commit fbb2d40
Showing 2 changed files with 8 additions and 2 deletions.
5 changes: 5 additions & 0 deletions DFIR-O365RC/Get-AADApps.ps1
Expand Up @@ -50,6 +50,8 @@
"Getting all service principals" | Write-Log -LogPath $logfile
$uriSP = "https://graph.microsoft.com/v1.0/servicePrincipals/"
$ALLServicePrincipals = Get-RestAPIResponse -RESTAPIService "MSGraph" -uri $uriSP -logfile $logfile -app $app -user $user
$sp_outputfile = $foldertoprocess + "\AADApps_" + $tenant + "_service_principals_raw.json"
$ALLServicePrincipals | ConvertTo-Json -Depth 99 | out-file $sp_outputfile -encoding UTF8

$EnrichedSPEvents = @()
$UniqServicePrincipals = $SPEvents | Select-Object -ExpandProperty targetResources | Group-Object -Property id
Expand Down Expand Up @@ -145,6 +147,9 @@
#merge existing and deleted Apps
$ALLApps += $DelApps

$apps_outputfile = $foldertoprocess + "\AADApps_" + $tenant + "_applications_raw.json"
$ALLApps | ConvertTo-Json -Depth 99 | out-file $apps_outputfile -encoding UTF8

$EnrichedAppEvents = @()
$UniqApps = $AppEvents| Select-Object -ExpandProperty targetResources | Group-Object -Property id
#Loop through Apps present in activity logs
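Review bot: Piping `$ALLServicePrincipals` into `ConvertTo-Json` unrolls the collection, so a tenant with exactly one service principal gets a raw dump that is a single JSON object instead of a one-element array, and a `$null` result (for instance after a failed Graph call) leaves an empty file; the `$ALLApps` dump in the second hunk has the same shape problem. Passing the value as a wrapped array keeps the file shape stable regardless of count: `ConvertTo-Json -InputObject @($ALLServicePrincipals) -Depth 99 | Out-File -LiteralPath $sp_outputfile -Encoding UTF8`. The raw file names carry no timestamp, unlike the Search-O365 output changed in this same commit, so a re-run silently overwrites the earlier collection; for a forensic artifact, consider the same timestamp suffix or `-NoClobber` so an earlier snapshot is never lost. The scope enclosing both hunks starts and ends outside what is shown.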
5 changes: 3 additions & 2 deletions DFIR-O365RC/Search-O365.ps1
@@ -1,4 +1,4 @@
Function Search-O365 {
Function Search-O365 {

<#
.SYNOPSIS
Expand Down Expand Up @@ -79,10 +79,11 @@ Function Search-O365 {
$sessionName = "EXO_" + [guid]::NewGuid().ToString()
$tenant = ($token.Account.UserName).split("@")[1]
$outputdate = "{0:yyyy-MM-dd}" -f ($datetoprocess)
$actualdate = $(get-date -f yyyy-MM-dd-hh-mm-ss)
$foldertoprocess = $unifiedauditfolder + "\" + $datetoprocess
if ((Test-Path $foldertoprocess) -eq $false){New-Item $foldertoprocess -Type Directory}

$outputfile = $foldertoprocess + "\UnifiedAuditLog_" + $tenant + "_" + $outputdate + "_" + $requesttype + ".json"
$outputfile = $foldertoprocess + "\UnifiedAuditLog_" + $tenant + "_" + $outputdate + "_" + $requesttype + "_" + $actualdate + ".json"
$commandNames = "Search-UnifiedAuditLog","Search-MailboxAuditLog"
Connect-EXOPsearchUnified -token $token -sessionName $sessionName -logfile $logfile -commandNames $commandNames

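Review bot: The new timestamp in `$actualdate = $(get-date -f yyyy-MM-dd-hh-mm-ss)` uses `hh`, the 12-hour clock without an AM/PM designator, so collections started at 01:05 and 13:05 on the same day produce the same `$outputfile` name and the later run overwrites the earlier one — exactly the collision the suffix was added to prevent. Use the 24-hour specifier, and the `$( )` wrapper around a plain cmdlet call is unnecessary: `$actualdate = Get-Date -Format yyyy-MM-dd-HH-mm-ss`. Because `$outputdate` is the processed day while `$actualdate` is the local wall-clock time of the run, a short comment such as `# collection time (local), distinguishes repeated runs for the same day` would stop an analyst from reading the suffix as an event time; when exports from several hosts are compared, a UTC value would be less ambiguous. The first hunk shows two identical `Function Search-O365 {` lines, so that change is presumably whitespace or encoding and is not reviewable here. Search-O365's body continues outside the hunk.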
